WARNING: Version 5.0 of Kibana has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Securing Console
Console is meant to be used as a local development tool. As such, it will send requests to any host and port combination,
just as a local curl command would. To overcome the CORS limitations enforced by browsers, Console's Node.js backend
serves as a proxy to send requests on behalf of the browser. However, if Kibana is put on a server and exposed to the internet,
this can become a security risk. In those cases, we highly recommend you lock down the proxy by setting the
console.proxyFilter setting. The setting accepts a list of regular expressions that are evaluated against each URL
the proxy is requested to retrieve. If none of the regular expressions match, the proxy will reject the request.
Here is an example configuration that only allows Console to connect to localhost:
console.proxyFilter:
  - ^https?://(localhost|127\.0\.0\.1|\[::0\]).*
You will need to restart Kibana for these changes to take effect.
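To check a filter list before deploying it, the following added example (not Kibana's own code) applies the rule described above, that a URL is allowed when any expression matches, to constructed sample URLs. It compares the pattern from this page with a tightened variant that ends the host name explicitly; `isAllowed`, `compare`, the tightened pattern and the `.example` host names are assumptions made for illustration.

```javascript
// Added example: models the documented rule (allow if ANY regex matches).
// isAllowed() and compare() are hypothetical helpers, not Kibana source code.

// Pattern from the configuration above, exactly as documented.
const documentedFilter = ['^https?://(localhost|127\\.0\\.0\\.1|\\[::0\\]).*'];

// Tightened variant (assumption): after the host, only an optional port
// followed by a path, query, fragment or end of string is accepted.
const tightenedFilter = [
  '^https?://(localhost|127\\.0\\.0\\.1|\\[::0\\])(:\\d+)?([/?#]|$)',
];

// A URL passes when at least one expression in the list matches it.
function isAllowed(url, filterList) {
  return filterList.some((source) => new RegExp(source).test(url));
}

// Constructed sample URLs; the *.example names are placeholders.
const samples = [
  'http://localhost:9200/_cat/indices',
  'https://127.0.0.1:9200/',
  'http://localhost',
  'http://10.0.0.5:9200/_search',
  'http://localhost.internal.example:9200/',
  'http://127.0.0.1.internal.example/',
];

// Evaluate every URL against both filter lists.
function compare(urls) {
  return urls.map((url) => ({
    url,
    documented: isAllowed(url, documentedFilter),
    tightened: isAllowed(url, tightenedFilter),
  }));
}

// Columns: documented filter, tightened filter, URL.
for (const row of compare(samples)) {
  const d = row.documented ? 'allow' : 'deny ';
  const t = row.tightened ? 'allow' : 'deny ';
  console.log(`${d}  ${t}  ${row.url}`);
}
```

Only the tightened list rejects the last two samples, where the allowed host name is merely the prefix of a longer one.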